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ABSTRACT 


The  Byzantine  Generals  problem  involves  a  system  of  N  processes,  t  of  which  may  be  unreliable. 
The  problem  is  for  the  reliable  processes  to  agree  on  a  binary  value  sent  by  a  "general",  which  may 
itself  be  one  of  the  N  processes.  If  the  general  sends  the  same  value  to  each  process,  then  all  reliable 
processes  must  agree  on  that  value,  but  in  any  case,  they  must  agree  on  the  same  value.  We  give  an 
explicit  solution  for  N  =  31+1  processes,  using  2t  +  4  rounds  and  Oft3  log  t)  message  bits,  where  t 
bounds  the  number  of  faulty  processes.  This  solution  is  easily  extended  to  the  general  case  of  N  > 
3t  + 1  to  give  a  solution  using  2t  +  5  rounds  and  0(tN  +  T3log  t)  message  bits. 

1.  Introduction 

The  Byzantine  Generals  problem  (or,  the  problem  of  "assuring  interactive  consistency")  is 
defined  in  [PSL].  It  is  assumed  that  there  are  N  isolated  processes,  of  which  at  most  t  are  faulty.  The 
processes  can  communicate  by  means  of  two-party  messages,  using  a  medium  which  is  reliable  and 
of  negligible  delay.  The  sender  of  a  message  is  always  identifiable  by  the  receiver.  The  problem  is  for 
the  nonfaulty  processes  to  agree  on  a  binary  value  sent  by  a  "general",  which  may  itself  be  one  of  the 
N  processes.  If  the  general  sends  the  same  value  to  each  process,  then  all  reliable  processes  must 
agree  on  that  value.  If  the  general  sends  different  values  to  different  processes  (i.e.  the  general  is 
"faulty”),  then  all  reliable  processes  must  agree  on  some  value. 

Algorithms  for  solving  this  problem  are  surprisingly  difficult  to  devise.  The  difficulty  is  that  faulty 
processes  can  provide  conflicting  information  to  different  parts  of  the  system.  This  fact  causes 
simple  solutions  based  on  majority  voting  to  fail,  since  a  faulty  process  could  cause  two  nonfaulty 
processes  to  decide  that  the  majority  voted  in  opposite  ways. 

An  efficient  solution  to  the  Byzantine  Generals  problem  would  be  a  valuable  tool  for  the 
construction  of  reliable  computer  systems.  Such  systems  should  be  able  to  handle  malfunctioning 
components  which  provide  conflicting  information. 

The  algorithms  in  the  earliest  papers  on  this  problem  [PSL,  LSP]  seem  to  be  quite  expensive,  both 
in  terms  of  number  of  message  bits  (exponential  In  t,  the  number  of  faults)  and  time  (t  + 1  rounds  of 
synchronous  message  exchange).  This  is  true  even  in  the  presence  of  certain  authentication 
capabilities.  It  is  shown  in  [FL],  in  the  simplest  case  of  non  authenbcated  communication,  that  U 1 
rounds  are  optimal,  for  worst-case  algorithm  behavior.  This  lower  bound  result  is  extended  in  [DS, 
OLM)  to  the  case  in  which  arbitrary  authentication  capabilities  are  allowed.  Thus,  there  is  no  way  to 
improve  on  the  number  of  rounds  in  the  earlier  algorithms. 
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The  more  serious  drawback  of  the  earlier  algorithms  is  the  large  amount  of  message  traffic  which 
is  sent  among  the  processes.  There  is  essentially  no  structure  to  the  information  which  is  exchanged 
in  those  algorithms;  processes  repeatedly  broadcast  everything  they  know,  and  then  apply  certain 
decision  functions  to  the  final  results.  It  is  obviously  desirable  to  discover  ways  of  summarizing  the 
information,  only  sending  what  is  relevant. 

The  first  solution  which  requires  an  amount  of  communication  polynomial  in  the  number  of  faults 
appears  in  [DS].  The  authors  summarize  the  information  in  clever  ways,  and  obtain  a  solution  which 
uses  4t+4  rounds  and  0(n4  log  n)  message  bits.  (Their  solution  can  easily  be  modified,  using  the 
same  trick  we  use  in  Section  3.,  to  use  4t+5  rounds  and  0(tN  +  t4  log  t)  message  bits.) 

In  the  present  paper,  we  use  many  of  the  ideas  of  [OS],  plus  several  new  ones,  to  devise  another 
solution  with  polynomial  communication.  Our  solution  uses  only  2t  +  5  rounds,  and  0(tN  +  t3  log  t) 
message  bits,  thus  giving  important  savings  both  in  time  and  amount  of  communication.  In  addition, 
we  think  that  the  new  algorithm  is  considerably  simpler  than  the  algorithm  of  [DS]. 

We  do  not  know  if  our  algorithm  is  optimal;  in  particular,  we  have  so  far  been  unsuccessful  at 
removing  the  factor  of  2  which  separates  the  number  of  rounds  used  by  our  algorithm  from  the  known 
minimum. 


2.  The  Model 

Let  [N]  denote  {1,...,N}. 

We  model  a  Byzantine  Generals  algorithm  as  a  synchronous  system  of  automata.  Such  a  system 
*  S  is  described  by  the  following: 


N  -  the  number  of  processes; 

Q  a  (O, . Qn)  -  the  state  sets  of  each  of  the  N  processes; 

qO  •  (q01 . qty  --  initial  states  for  each  process  indicating  the  general’s  value  Is  "0", 

ql  >  (q11,...,qlN)- Initial  states  for  each  process  indicating  the  general's  value  Is  "1", 
F  ■  (F1t...,FN),  where  each  F,  £  Q,  ••  accepting  states  tor  each  process, 

M  *  (Mv...,Mn)  ••  the  seta  of  possible  messages  which  each  process  might  send, 
fiy.  Q,  M)(  M  €  [N]  ••  the  message  generation  functions, 
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and 


(where  describes  messages  sent  from  process  i  to  process  j) 


Qj  X  M1  X...X  Mn  — ►  0|,  j  C  [N]  -the  state  transition  functions. 

Let  T  C  [N],  and  let  v  €  {0,1 ,?}.  (T  is  the  set  of  reliable  processes  or  "truthtellers",  and  v  is  the 
general’s  value.  A  value  of ’?’  indicates  that  the  general  himself  is  unreliable.)  A  sequence  of  state 
vectors  q(0),  q(1), ...,  q(R)  is  an  G  round  (T.vYcomputalion  if  there  exist  messages  m.  .(r)  €  M„  i,j  € 
[N],  0  <  r  <  R,  such  that 

1.  INITIALIZATION: 

If  v  *  0  then  q(0)  =  qO. 

If  v  =  1  then  q(0)  =  ql. 

If  v  *  ?  then  q,(0)  €  {qO,,  ql,},  for  all  i  €  [N]. 

2.  CORRECT  MESSAGES: 

For  each  r,  0  ^  r  <  R  and  each  i  €  T,  j  £  [N],  m^fr)  »  p{ j(q,(r)). 

3.  CORRECT  TRANSITIONS: 

For  each  r,  0  ^  r  <  R,  and  each  j  €  T,  q}(r + 1)  «  f.(q.(r),  mfJ(r), ....  mNJ(r)). 

We  say  that  S  solves  the  Byzantine  Generals  problem  in  R  rounds  if  for  every  T  C  [N]  with  |T|  ^  N-t, 
every  v  €  {0,1,?},  and  every  R-round  (T,v)-computation  q(0),...,q(R),  the  final  state  vector  q(R) 
satisfies  the  following: 

1.  AGREEMENT:  If  i,j  €  T,  then  q.(R)  €  F,  iff  q,(R)  €  Fj. 

2.  VALIDITY:  If  v  */?,  then  for  all  i  €  T,  q,(R)  €  F,  Iff  v  -  1. 

Intuitively,  a  step  or  round  of  the  computation  takes  place  in  two  phases.  First,  every  process 
sends  a  message  to  every  other.  Secondly,  each  process  changes  state  based  on  its  old  state  and  the 
messages  it  receives.  Unreliable  processes  can  send  arbitrary  messages,  so  there  are  in  general 
many  possible  computations,  all  of  which  must  satisfy  the  agreement  and  validity  conditions  above. 

We  assume  about  the  general  only  that  it  is  a  possibly- unreliable  data  source  that  communicates  a 
(binary)  value  to  each  of  the  N  processes  in  the  system  before  the  algorithm  begins.  Thus,  the 
general  might  be  one  of  the  N  processes,  or  it  might  be  a  sensor  or  I/O  device  that  all  processes  can 
read.  In  our  formalization,  the  general’s  value  is  encoded  by  each  process’s  start  state.  In  other 
treatments  of  this  problem,  the  general  is  identified  with  one  of  the  N  processes  which  carry  out  Me 
algorithm,  and  each  other  process  starts  in  the  same  state  regardless  of  the  general's  value.  Our 
version  is  slightly  stronger,  for  a  solution  to  our  problem  solves  the  other  version  by  simply  adding  an 
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initial  round  in  which  the  general  sends  his  value  to  each  other  process.  The  converse,  however,  is 
not  in  general  true,  for  an  algorithm  might  make  use  of  the  fact  that  at  most  t-1  unreliable  processes 
remain  when  the  general  has  been  determined  to  be  unreliable  and  is  a  known  one  of  the  processes. 


3.  A  Simplification 

We  give  an  explicit  construction  for  the  case  N  =  3t+  1.  To  handle  the  case  of  N  >  3t  + 1 ,  just  run 
the  given  algorithm  on  any  subset  A  with  )A|  »  3t  + 1 .  After  the  last  round,  a  designated  subset  B  C  A, 
|B|  =  2t  + 1 ,  broadcasts  its  answers  to  all  N  processes.  Since  all  the  (t  + 1  or  more)  reliable  processes 
in  B  agree,  a  simple  majority  vote  gives  all  the  other  reliable  processes  consistent  answers.  This  takes 
only  one  additional  round  and  0(tN)  additional  message  bits  above  and  beyond  the  basic  algorithm. 

4.  Basic  Solution 

NowassumeN  =  3t+1.  Let  LOW  =  t+1  and  HIGH  =  2t+1.  We  describe  a  system  S. 

The  only  pieces  of  information  sent  in  messages  are  process  indices  and  one  special  value 
Formally,  let  I  (the  set  of  message  items)  *  {'*'}  U  [NJ.  Messages  are  sets  of  message  items;  thus, 
each  M,  ■  21. 

A  process  state  consists  of  a  number  (representing  the  current  round)  together  with  a  set  of  “data 
entities'*.  A  data  entity  is  either  the  single  value  0  or  1  (representing  a  value  of  0  or  1  received  from 
the  general)  or  else  a  pair  consisting  of  a  message  item  and  a  process  from  which  that  message  is 
received.  Each  process  remembers  the  initial  value  and  all  the  messages  it  has  ever  received  from 
any  process.  Formally,  a  da/a  entity  is  an  element  of  D  » {0,1}  U  (I  X  (NJ).  A  process  state  q  is  a  pair 
(data(q),  round(q)),  where  data(q)  C  D  and  round(q)  €  N.  That  is,  each  Q,  «  2°  X  N.  The  initial  states 
are  qO,  ■  ((0},0)  and  ql,  >  ({1},0).  The  transition  function  simply  records  all  new  messages 
received,  together  with  their  senders,  and  increments  the  round  number.  That  is, 

f,(q,m1 . m^  »  (data(q)  U  {(x,j)  €  D  |  x  €  m(},  round(q)  +  1). 

Thus,  the  data  component  of  the  process  state  behaves  "monotonical1y"-new  data  entities  can  get 
added  during  the  course  of  an  execution,  but  nothing  is  ever  deleted. 

We  require  some  notation  for  characterizing  process  states.  Let  q  be  any  process  state  and 
let  x€l.  We  define 

W„(q)  -  {j  €  [N]  |  (x,j)  €  data(q)}, 
the  witnesses  to  x,  and  we  let  wx(q)  »  |Wx(q)|.  We  define 
Cfo)«{k€[N)|wk(q)£HIGH}, 
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the  confirmed  processes,  and  we  let  c(q)  =  |C(q)|.  Process  i  initiates  in  q  if  either 

11.  1  €  data(q), 

12.  c(q)  >  LOW  +  T  round(q)/21-1 ,  or 

13.  i  €  W.(q). 

Process  i  commits  in  q  if  c(q)  >  HIGH. 

The  heart  of  the  algorithm  is  the  message  generation  function.  The  function  is  defined  to  be 
monotonic  in  the  data  component  of  the  state  •  more  data  entities  can  only  cause  more  messages  to 
be  sent.  Since  the  data  component  of  the  state  behaves  monotonically,  this  definition  implies  that  any 
message,  once  sent,  will  be  sent  on  all  subsequent  rounds.  This  is  an  obvious  inefficiency  which  is 
removed  by  a  trivial  optimization.  (See  Section  6.)  It  is  useful  to  describe  the  algorithm  in  this  way, 
however,  since  the  monotonic  algorithm  is  easier  to  reason  about  than  its  optimized  version. 

We  define  |i,j(q)  to  be  the  smallest  set  satisfying  the  following  rules: 

Ml.  (Initiation)  If  i  initiates  in  q,  then  .<q). 

M2.  (Direct  witness)  W.(q)  C  ^(q); 

M3.  (Indirect  witness)  If  wk(q)  >  LOW,  then  k  €  /^(q)  for  each  k  €  [N]. 

Finally,  F,  =  {q  €  0 1  i  commits  in  q). 

Theorem  1 :  Let  R  =  2t  +  4.  Then  S  solves  the  Byzantine  Generals  problem  in  R 
>  rounds. 

The  correctness  of  this  algorithm  is  somewhat  subtle  and  is  proved  in  the  next  section.  However, 
the  following  intuition  should  help  the  reader's  understanding. 

During  the  course  of  execution,  processes  initiate  from  time  to  time.  This  means  that  they  know 
that  the  general  has  sent  a  "1 "  to  some  reliable  process  and  that  they  are  proposing  to  accept.  A 
process  announces  initiation  by  sending  a  to  the  other  processes. 

A  process  receiving  a  '*’  becomes  a  witness  to  the  sending  process’s  initiation.  A  process  can 
become  an  "indirect"  witness  by  hearing  about  it  from  at  least  LOW  other  processes,  since  then  at 
least  one  of  them  must  be  reliable.  In  either  case,  it  broadcasts  that  fact  to  all  processes,  including 
itself.  (The  sending  process  will  thus  record  Itself  as  a  witness  at  the  same  time  as  all  other  processes 
do.) 
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A  process  receiving  a  message  item  k  €  [N]  from  process  j  records  the  fact  that  j  claims  to  be  a 
witness  k.  When  at  least  HIGH  distinct  j’s  claim  to  be  witnesses  to  k,  then  k  is  confirmed.  The 
confirming  process  then  knows  one  of  two  things  must  be  true:  Either  k  is  reliable  and  indeed  has 
initiated,  or  k  is  unreliable  but  nevertheless  has  told  at  least  LOW  reliable  processes  that  it  had 
initiated. 

A  process  initiates  on  the  first  round  if  it  receives  a  "I"  from  the  general.  Thereafter,  it  can  only 
initiate  if  it  has  confirmed  sufficiently  many  initiations  by  other  processes.  This  threshold  number  for 
initiation  starts  out  at  LOW  and  increases  by  one  every  two  rounds  until  it  reaches  HIGH.  By  that  time, 
either  at  least  LOW  reliable  processes  will  have  initiated  or  it  is  no  longer  possible  for  a  reliable 
process  to  initiate.  In  the  former  case,  after  three  more  rounds  every  reliable  process  will  commit.  In 
the  latter  case,  no  reliable  process  can  commit.  The  delicate  part  of  the  algorithm  concerns  these  last 
two  facts;  namely,  initiating  and  committing  are  easy  enough  so  that  as  soon  as  LOW  reliable 
processes  initiate,  then  an  avalanche  begins  which  results  in  all  reliable  processes  initiating  and 
committing  a  small  number  of  rounds  later.  On  the  other  hand,  committing  is  hard  enough  so  that  no 
process  commits  in  the  last  three  rounds  except  as  a  result  of  an  avalanche  started  earlier. 

5.  Proof  of  Correctness 

The  following  lemmas  prove  Theorem  1  and  establish  the  correctness  of  the  algorithm.  All  refer  to 
a  fixed  (T.v)-computation  q(0), ...,  q(R),  R  =  2t  +  4,  with  associated  messages  m.^r),  i,j  €  [N],  0  ^  r  < 
R. 


Lemma  2  formalizes  the  monotonicity  properties  of  process  states. 

Lemma  2:  Let  0  ^  r’  £  r  £  R,  i  €  T.  Then  Wx(q,(r’))  C  Wx(q.(r))  for  all  x  €  I,  and 
C(q.fr’))  C  C(q{(r)).  Moreover,  if  i  initiates  (commits)  in  q.(r’),  then  i  initiates  (commits)  in 

dis¬ 
proof:  If  r’  a  r,  then  there  is  nothing  to  prove.  So  assume  r'  <  r.  Monotonicity  of  W  and 
C  are  obvious;  hence,  if  i  commits  in  q.(r’),  then  it  commits  in  q((r).  Suppose  i  initiates  in 
q,(r’).  Then  €  m,  ,(0,  so  i  €  W.(qt(r’  + 1)),  and  by  monotonicity  of  W,  i  €  W.(q,(r)).  Thus, 
i  initiates  in  qt(r)  by  Rule  13. 

□ 

The  next  lemma  says  that  whenever  a  truthteller  initiates,  it  is  confirmed  at  all  truthtellere  two 
rounds  later. 

Lemma  3:  Let  i,  j  €  T.  If  I  initiates  in  q((r),  0  r  <J  R-2,  then  i  €  C(q((r + 2)). 

Proof:  Let  k  6  T.  Then  i  €  W.(qk(r  +  1))  by  Rule  Ml.  Similarly,  k  €  W,(q.(r+ 2))  by  Rule 
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M2.  Hence,  W((q.(r + 2))  D  T.  The  lemma  follows  since  |T|  >  HIGH. 


□ 


Next,  we  show  that  whenever  all  truthtellers  initiate,  they  all  commit  two  rounds  later. 

Lemma  4:  Let  0  <  r  <  R-2.  If  all  i  €  T  initiate  in  q^r),  then  all  i  €  T  commit  in  q.(r + 2). 
Proof:  By  Lemma  3,  i  €  C(q.(r+2))  for  all  j  €  T;  hence,  c(c|.(r + 2))  >  HIGH. 

□ 


The  next  lemma  describes  some  information  that  the  views  of  different  truthtellers  at  the  same 
round  must  have  in  common. 

Lemma  5:  Let  i,j,k  6  T,  x  €  I.  Then  k  €  Wx(q.(r))  iff  k  €  Wx(q.(r)). 

Proof:  Follows  from  an  easy  induction  on  r  using  the  fact  that  reliable  processes 
always  broadcast  their  messages  to  every  process. 


□ 


Next,  we  show  the  important  fact  that  any  process  which  gets  confirmed  at  one  truthteller,  will  be 
confirmed  at  all  truthtellers  one  round  later. 

Lemma  6:  Let  0  ^  r  <  R-1 ,  j,  k  €  T.  If  i  €  C(qk(r))  then  i  €  Cfq^r + 1)). 

Proof:  Since  i  €  C(qk(r)),  there  is  a  set  A  C  T  n  Vtyq^r))  with  |A|  =  LOW.  Let  j’  € 

T.  Then  by  Lemma  5,  A  C  W,(q.,(r)).  Thus,  i  €  m^  (r),  by  Rule  M3.  Hence,  j’€  Wj(qj(r+ 1)). 
Thus,  i  €  C(q.(r+ 1)). 

□ 

Lemma  7:  Let  0  r  <  R,  i,  j  €  T.  If  I  commits  in  q.(r),then  J  commits  in  q^(r+ 1). 

Proof:  by  Lemma  6. 

□ 


The  next  lemma  says  that  if  there  are  sufficiently  many  witnesses  for  a  truthteller,  then  that 
truthteller  has  actually  initiated. 

Lemma  8:  Let  i  j  €  T.  If  w((q^(r))  ^  LOW,  then  r  £  2  and  I  initiates  in  q,(r-2). 

Proof:  We  proceed  by  induction  on  r.  Suppose  the  lemma  is  true  for  all  r'<r,  for  r  0, 
and  suppose  w,(q.(r))  >  LOW.  Then  there  is  some  k  €  T  O  W,(q((r)).  But  then  r  £  1  and  i  € 
mkJ  (M),  and  this  is  either  because  of  M2  or  M3.  If  it  is  because  of  M2,  then  I  €W.(qk(r-1)), 
so  that  r  £  2  and  €  m(  k(r-2)  and  hence  i  initiates  in  q,(r-2).  If  it  is  because  of  M3,  then 
w,(qk(r-1))  LOW.  Then  by  induction,  r-1  ^  2  and  i  initiates  in  q,(r-3).  Application  of 
Lemma  2  shows  that  I  initiates  in  q((r-2). 
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The  following  lemma  follows  easily  from  Lemma  8. 

Lemma  9:  Let  i  €  T,  and  suppose  i  commits  in  q^r).  Then  r  >  2  and  there  is  a  set  A  C 
T  with  |A|  =  LOW  such  that  every  j  €  A  initiates  in  qj(r-2). 

Proof:  c(q.(r))  >  HIGH,  so  there  is  a  set  A  C  T  D  C(q.(r))  with  |A|  =  LOW.  Each  j  €  A 
has  w.(qj(r))  >  HIGH;  hence,  by  Lemma  8,  r  >  2  and  j  initiates  in  q.(r-2). 

□ 

The  following  key  lemma  says  that  whenever  LOW  truthtellers  initiate,  then  all  truthtellers  commit 
four  rounds  later.  This  is  the  "avalanche"  described  in  the  intuitive  discussion  of  the  algorithm. 

Lemma  10:  Let  0  <  r  <  R-4.  If  there  is  a  set  A  C  T,  |A|  =  LOW,  such  that  all  i  €  A 
initiate  in  q^r),  then  all  j  €  T  commit  in  qf(r  +  4). 

Proof:  Let  r’  be  the  least  number  such  that  all  i  €  A  initiate  in  q.(r’).  By  Lemma  3,  A  C 
C(qj(r’  +  2))  for  all  j  €  T.  We  now  argue  that  j  initiates  in  q.(r’  +  2)).  It  will  then  follow  by 
Lemma  4  that  j  commits  in  q^r'  +  4),  and  hence  also  in  q.(r + 4)  by  Lemma  2. 

If  r*  =  0,  then  cfa^r'  +  2))  >  |A|  =  LOW  +  T(r’  +  2)/2T  - 1.  Thus,  j  initiates  in  q.(r’  +  2)  by 
Rule  12.  If  r'  >  0,  then  there  is  some  k  €  A  such  that  k  initiates  in  qk(r’)  and  k  does  not 
initiate  in  qk(r’-1).  Then  k  initiates  in  qk(r’)  using  Rule  12,  so  c(qk(r’))>  LOW  +  rr'/2T-1.  If 
k  €  C(qk(r’)),  then  Lemma  8  implies  that  k  initiates  in  qk(r'-2),  a  contradiction  (using  Lemma 
2).  Thus,  k  $  C(qk(r')).  By  Lemmas  2  and  6,  Cfq^r’  +  2))  D  C(qk(r’))  for  all  j  €  T.  By  Lemma 
3,  k  €  C(q.(r’  +  2)).  Hence,  c(q.(r’  +  2))  >  LOW  +  rr’/2T  =  LOW  +  r(r’  +  2)/2  T  - 1.  Thus,  j 
initiates  in  q.(r’  +  2)  by  Rule  12  as  desired. 

□ 

We  are  now  ready  to  prove  the  properties  required  for  Theorem  1  -  agreement  and  validity. 

•  Lemma  1 1 :  If  any  i  C  T  commits  in  qj(R),  then  all  j  €  T  commit  in  qj(R). 

Proof:  Assume  i  €  T  commits  in  q,(R).  By  Lemma  9,  there  is  a  set  A  C  T  with  |A|  = 

LOW  such  that  every  j  €  A  initiates  in  q,(R-2). 

We  consider  two  cases.  First,  assume  all  j  €  A  initiate  in  q.(R-4).  In  this  case,  Lemma 
10  implies  the  result.  Second,  assume  that  some  j  C  A  initiates  in  q.(r)  but  not  in  q.(r-l),  for 
some  r  €  {R-3.R-2}.  Then  j  initiates  by  12.  Then  c(qj(r))  >  LOW  +  Fr/21-1  >  LOW  +  t  a 
HIGH,  so  j  commits  in  q^r).  Then  Lemmas  7  and  2  imply  the  result. 
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Lemma  1 2:  Let  i  €  T. 

(a)  If  v  =  0,  then  q.(R)  i  F. 

(b) lfv  =  1,thenq.(R)€Fr 

Proof:  (a)  v  =  0.  Suppose  i  commits  in  q^R).  Then  by  Lemma  9,  there  is  an  element  j 
€  T  that  initiates  in  q.(R-2).  Consider  the  least  r  for  which  some  j  €  T  initiates  in  q^r). 
Clearly  r  >  0  by  the  initial  conditions.  Hence,  j  initiates  by  Rule  12,  so  c(qj(r))  >  LOW.  Thus, 
there  is  a  k  €  T  fl  C(q.(r)),  so  w.  (q.(r))>  HIGH.  But  then  it  follows  from  Lemma  NANCY7 
that  k  initiates  in  qk(r-2),  contradicting  the  choice  of  r.  We  conclude  that  q^R)  <£  F.. 

(b)  v  =  1.  Each  i  €  T  initiates  in  q.(0)  by  Rule  II.  By  Lemma  4,  each  i  €  T  commits  in 
Qj(2).  Thus,  q(  (R)  6  F,. 


6.  Complexity  Analysis 

Since  |l|  =  N  +  1,  each  message  item  can  be  encoded  by  0(log  N)  bits,  and  a  message  m 
consisting  of  k  message  items  can  be  encoded  in  length  0(k  log  N).  The  algorithm  of  the  previous 
section  sends  N2  messages  on  each  round,  and  each  message  potentially  contains  N  +  1  message 
items;  hence  an  upper  bound  on  the  number  of  message  bits  sent  is  0(N2  R  (N+  1)  log  N)  = 
0(t4  log  t).  (The  log  factor  can  be  eliminated  by  a  bitwise  encoding  of  the  entire  message.) 

A  minor  modification  of  the  algorithm  however  results  in  a  saving  of  the  factor  of  R.  The  algorithm 
is  monotone  in  the  sense  that  data  entities  are  never  deleted  from  the  data  part  of  the  state,  and 
incoming  messages  have  no  effect  except  to  be  added  into  the  state.  Thus,  the  algorithm  would 
operate  exactly  the  same  if  each  message  item  were  sent  from  i  to  j  only  once.  The  only  change  to  the 
algorithm  would  be  that  each  process  would  have  to  remember  in  its  state  which  messages  had 
previously  been  sent  out  and  to  whom,  and  to  omit  sending  a  previously-sent  message.  The  result  is 
that  each  process  i  would  send  a  maximum  of  |l|  message  items  to  each  process  j  during  the  entire 
course  of  the  algorithm.  The  total  number  of  message  bits  then  would  be 
0(N2  (N  + 1)  log  N)  =  0(t3  log  t). 

.  Combining  the  ideas  of  the  previous  paragraph  with  those  of  Section  3,  we  obtain: 

Theorem  1 3:  There  is  an  algorithm  which  solves  the  Byzantine  Generals  problem  for  t 
unreliable  processes  out  of  a  total  of  N  >  3t  +  1,  uses  2t  +  5  rounds  of  information 
exchange,  and  sends  0(t3  log  t  +  tN)  message  bits. 
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